
Symbolic Execution Based Method To Bypass Sandbox Evasion Techniques Used By APT

Posted on: 2020-08-11
Degree: Master
Type: Thesis
Country: China
Candidate: J T Zhang
Full Text: PDF
GTID: 2428330620960069
Subject: Information and Communication Engineering
Abstract/Summary:
Cyber attacks against governments, companies, and schools are endless now that office digitization and cloud-hosted data are widely used. Among all types of attacks, APT is the most difficult to analyze. Using sandbox technology to dynamically analyze APT samples is considered the last line of defense against APT. However, more than 80% of APT samples use a variety of methods to detect the sandbox: APT samples end their malicious behavior when they find themselves running in an abnormal environment. Anti-sandbox checks generate multiple branches for program analysis in symbolic execution systems. Further, obfuscated code in the harmless branch causes path explosion and leads to the crash of the symbolic execution system. Through an analysis of symbolic execution and of the anti-sandbox detection methods appearing in APT reports, we choose ANGR as the base system. We design three plugins: Win32 API hooking, VEX instruction patching, and memory structure fulfillment. In addition, a fallback (bottom-line) scheme is also added to the prototype system. The prototype system only executes the branch that contains malicious behavior. It can also automatically generate anti-sandbox IOCs, which represent the characteristics of the attacker's tool. In the experiments, we use the open-source anti-sandbox detection software al-khaser and paranoid fish. The prototype system is compared vertically with ANGR, which proves that the prototype system can effectively avoid redundant branches; the prototype system is compared horizontally with a commercial sandbox, which proves that the prototype system is applicable to more anti-sandbox detection methods. Finally, we analyze the backdoor program Kasidet. The result shows that all of its anti-sandbox detection methods are successfully bypassed and that the anti-sandbox IOC is generated.
Keywords/Search Tags: dynamic symbolic execution, ANGR, anti-sandbox, APT